Automatically roll out IAM Root Access Management
With the introduction of root access management, AWS organisation owners can now securely manage root account credentials centrally. For some larger enterprises enabling this across the organisation is a slow and click heavy rollout. I will provide steps on how we can automate the enablement and rollout of this across an organisation.
Published Nov 26, 2024
Last Modified Nov 28, 2024
Managing root credentials at scale has always been a tiresome process, with the recommendation to use hardware MFA an added hurdle. We used to overcome this quite easily when engineers were in the office, an engineer would follow a simple, but time consuming process
- Check out the hardware MFA key out of the safe location
- Create the account - using IaC
- Reset the password on the account - storing this in a centralised password manager
- Log in to the account and set up the hardware MFA
- Re-check the key back
When COVID hit, we adapted into a remote first way of working but this made it ever so difficult to manage and we felt we were always chasing down accounts to enable MFA. This eventually lead to our TAM's chasing us when accounts slipped out of the net.
The introduction of Root Access Management has eradicated this process and, once enabled, all newly created accounts are safe - even password reset functionality is disabled.
For older accounts, we can use the UI to manually remove the credentials across each account, but with a large number of accounts clicking around in the UI and manually enabling each account was not an option.
To roll this automatically I wrote a simple python application that will allow me to open up a cloudshell on the management account, check out a repo and leave it to it. It comes with skip flags for each item that is being removed and a dry mode to show what will happen across the org.
Usage example
1
2
3
git clone https://github.com/WPP-Public/aws-root-access-management.git root-account-management
cd root-account-management
python3 ./main.pySkip signing certificates
1
2
3
git clone https://github.com/WPP-Public/aws-root-access-management.git root-account-management
cd root-account-management
python3 ./main.py --skip-signing-certificatesIt's as simple as that, but if you want the details of how it works, continue reading.
The meaty bit - broken down
Essentially, what we are doing is - enabling root access management, iterating over each account, assuming root and running the disables.
Enabling root access management
1
2
3
aws organizations enable-aws-service-access --service-principal iam.amazonaws.com
aws iam enable-organizations-root-credentials-management
aws iam enable-organizations-root-sessionsIterating each account and for each account:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
aws sts assume-root --target-principal <account_id> --task-policy-arn arn=arn:aws:iam::aws:policy/root-task/IAMDeleteRootUserCredentials --duration-seconds 900
# Use the credentials given in the next commands
aws iam get-login-profile
# if exists
aws iam delete-login-profile
aws iam list-access-keys
# iterate
aws iam delete-access-key --access-key-id <access_key_id>
aws iam list-signing-certificates
# iterate
aws iam delete-signing-certificate --certificate-id <certificate_id>
aws iam list-mfa-devices
# iterate
aws iam deactivate-mfa-device --serial-number <serial_number>Comments
Log in to comment